Major Silk Road 2.0 hack costs bitcoin users millions of dollars

Chain of block erupters used for Bitcoin mining is pictured at the Plug and Play Tech Center in Sunnyvale, California (Reuters / Stephen Lam)

Users who had flocked to the reincarnation of the ‘dark web’ Silk Road marketplace were handed bad news on Thursday when site administrators announced that they had been hacked by users who made off with millions of dollars' worth of bitcoin.

The original Silk Road, which was by all accounts a marketplace
where users could solicit any number of criminal services
anonymously, was first launched in 2011. Founded and operated by
a user known only as Dread Pirate Roberts, the site helped
popularize the bitcoin crypto-currency and reportedly had trade
revenue of $1.2 million USD every month. The site was shut down
by the FBI in October 2013, with police alleging that Dread
Pirate Roberts is in fact the alias of one Ross William Ulbricht.

While Ulbricht awaited trial on charges including murder-for-hire
and narcotics trafficking, the Silk Road was relaunched. Yet the
site's future was put into doubt again on Thursday when an
administrator who identified himself as “Defcon” explained on the
site's forums what had happened.

“I am sweating as I write this...I must utter words all too
familiar to this scarred community: We have been hacked,” he
wrote. “Our initial investigations indicate that a vendor
exploited a recently discovered vulnerability in the bitcoin
protocol known as 'transaction malleability' to repeatedly
withdraw coins from our system until it was completely
empty.”

Defcon did not disclose the exact number of bitcoin that was
stolen, yet Nicholas Weaver, a researcher at the International
Computer Science Institute, told Forbes that approximately 4,400
coins were taken, equaling about $2.6 million.

“Stop at nothing to bring this person to your own definition
of justice,” Defcon wrote.

The sudden loss of online cryptocurrency was blamed on a bitcoin
protocol bug that also led to several exchanges halting
withdrawals last week, including Mt Gox.

But users were not convinced. Many pointed to the long-held claim
of security experts who assert that transaction malleability,
while a problem, is not an issue deep enough to permit such a
vast theft.

“Oh this is rich. How many users called for the shutdown of
SR2 to fix the problems? They were ignored,” wrote one
skeptic. “Admins did this. Not some vendor.”

Defcon denied that he was involved in the site's compromise.

“I didn't run with the gold,” he said. “I have
failed you as a leader, and am completely devastated by today's
discoveries...It is a crushing blow. I cannot find the words to
express how deeply I want this movement to be safe from the very
threats I just watched materialize during my watch.”

Since the initial Silk Road was shut down in October, a number of
former competitors rushed in to fill the void. Administrators for at
least three of those sites disappeared after stealing users'
bitcoin and another two voluntarily closed down after they were
hacked.

One site, known as Sheep Marketplace, was victimized to the tune
of $6 million in bitcoin by one administrator who said he found a
weakness in the site's security. Similarly, Black Market Reloaded
announced that it was unable to accommodate the massive influx of
ex-Silk Road users.

“Without competition the wisest thing to do is to shut down
the market, doing it in a timely and orderly manner,” wrote
one administrator without mentioning an expected return date.
“We will be back up. But to speed up we need to close shop.
Don't worry, we don't rip [off] anyone and will be back stronger
than ever.”